Anti-spoofing measure embedded at internet root

The organisations that run the servers at the heart of the internet have taken a step closer to a web without DNS spoofing.

The secure domain name server (DNS) protocol DNSSEC guarantees the authenticity of the mechanism that converts human-friendly internet addresses to the Internet Protocol's numeric address system. DNSSEC will be used to sign the root zone in all 13 internet root servers for the first time on Wednesday, according to DNSSEC.net.

DNSSEC is designed to allow internet servers to validate the authenticity of responses to queries and thus prevent spoofing, where fakes from third-party servers masquerade as proper addresses. DNSSEC works by digitally signing responses to lookup queries, and is designed to stop attacks such as DNS cache poisoning.

From Wednesday, DNSSEC will be used to sign the internet root zone. However, it will not be used to fully validate DNS responses until 1 June.

The DNSSEC-signed root zone will until 1 June be called the DURZ, or the Deliberately Unvalidatable Root Zone, according to a post on the Root DNSSEC website on Monday. From Wednesday, a DNSSEC-aware client will be able to look up a domain in the .org namespace, and can follow a signed delegation path, according to DNSSEC.net.

The DURZ has been brought in to test whether organisations have any problems with DNSSEC before the full rollout in June, according to Internet Systems Consortium (ISC), which administers one of the root servers. ISC warned that possible side effects of having a signed root zone may come about because DNS responses will contain more information than before. DNS devices are by default configured to only accept responses of 512 bytes or less. The EDNS0 DNS extension allows devices to accept responses larger than 512 bytes and IP fragments; however, many devices are not configured with the extension. This could lead to packet loss in networks which aren't configured to accept the larger responses.

The DURZ has been rolled out gradually across the 13 root servers, in a process which started in January. Root server L began to serve the DURZ on 27 January 2010, while root server J began to serve DURZ on Wednesday.

Infrastructure and access analyst Andy Buss of Freeform Dynamics told ZDNet UK on Wednesday that the DURZ rollout "may cause some pain" to IT professionals, but that it was a step towards making the internet safer by strengthening one of its underlying protocols.

"It's the start of a necessary set of steps to protect the DNS infrastructure from spoofing," said Buss. "It may cause some pain while people adjust their firewalls or DNS servers internally, but it's a necessary change for a more secure internet."

Buss said that businesses so far had not experienced any major disruption due to DURZ being rolled out, but nevertheless he advised IT professionals and sysadmins to keep an eye on traffic coming in and out of their networks and if necessary to liaise with internet service providers, if there were any problems.

VeriSign on Wednesday welcomed the DNSSEC signing of the root zone. "Today marks an important milestone in the deployment of DNSSEC," said a VeriSign spokesperson. "The J root has been converted to serving the signed root."

Simon McCalla, IT director at .uk registry Nominet, told ZDNet UK on Thursday that the DNSSEC root signing should have minimal impact on businesses.

"DNSSEC has been at the root of .uk for two months, and we find this is working pretty well," said McCalla. "Businesses shold expect no change [on 1 June]."